Passpack’s Whitelist…It’s Unanimous

We previously mentioned our thoughts on Passpack and OpenID. The feedback was almost unanimous. You as users all seemed to be opposed to the idea of having a Passpack whitelitst for OpenID providers.

Just for clarity’s sake, the idea only came into our heads because we were trying to keep consistent with level of security we like to offer Passpack users.

So What Is Our Take On the Issue Now?

We have decided that the OpenID providers that work well with Passpack will be presented on the Passpack Sign In Page.

*An important note – we have verified that logging in with a delegated name from one of these providers should be no problem.

But We Don’t Want To Limit You

As we have always stressed – your Pack is yours. Login with whichever OpenID you prefer but there are 2 things I would like to point out:

1. If you try to login to Passpack with any OpenID provider that has been submitted to PhishTank as a suspected phishing site, Passpack will warn you.

2. Even if you don’t see an icon for your preferred OpenID provider, you can still use it at your discretion by clicking the appropriate icon.

Let us know what you think!


4 responses to “Passpack’s Whitelist…It’s Unanimous

  1. Isn’t that list of icons going to get HUGE eventually? How about also including an autocomplete feature as you type into the box? And is a warning good enough for a phishing site? I think it’s probably best just to block that site until it’s off the phishing list.

    Other than those minor things, this is amazing, thanks for supporting openid!

    (will there openid support for passpack offline btw?)

  2. Great to hear that you’re going to use the PhishTank API (just took a look at the comments in “A question for..”).

    Although, I still think that sites listed in phishtank shouldn’t just show a warning. A warning can “potentially” be bypassed if the user’s browser has malicious software.

    Even though it’s not likely, it’s possible, thus it is a security issue. I’d deny any sites using PhishTank, as your chance of finding legit sites on PhishTank is extremely small.

    Better safe than sorry. Especially with 100 potential passwords.

  3. @TB
    No, that list shouldn’t get too long. We’re only putting a select few OPs in there. The rest will be accepted, but just typed in manually.

    OpenID support for Desktop and Offline? Oh dear, I have no idea. You’re too far ahead :)

    We’re having some internal debate here on whether or not the PhishTank sites should be blocked completely. My vote goes to blocking… we’ll see how that goes (so far I’m loosing).


  4. Pingback: Passpack And OpenID: Under the Hood « Passpack Blog

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s